how to search a database with a stored procedure?


wilco

hello,

can anyone tell me how to create a stored procedure that is able to
search a table, or more tables, and can make use of wildcards?
I just made something like this:
SELECT * FROM tblUsers WHERE Adress LIKE '* Value from user who wants to
search the database *'
but I don't know where to place the @??? for the input.
I also want to make it so the user can select which table and field he wants to
search.

thanks!!
 
And when you do it like this someone will submit "%' GO DELETE tblUsers --"
in your input box and wipe out your table (if the database user has enough
privileges to do so).

A better solution is to use the command object, like this:

OleDbCommand cmd = new OleDbCommand();

cmd.CommandText = "SELECT * FROM [tblUsers] WHERE [Address] LIKE @address";
cmd.Parameters.Add("@address", "%" + txtAddress.Text + "%");

Jerry
 
Can I ask what is the difference?

I just want to understand it....

Jerry III said:
And when you do it like this someone will submit "%' GO DELETE tblUsers --"
in your input box and wipe out your table (if the database user has enough
privileges to do so).

A better solution is to use the command object, like this:

OleDbCommand cmd = new OleDbCommand();

cmd.CommandText = "SELECT * FROM [tblUsers] WHERE [Address] LIKE @address";
cmd.Parameters.Add("@address", "%" + txtAddress.Text + "%");

Jerry

David Wier said:
Dim sAddress as String
sAddress=txtAddress.text
SQL = "SELECT * FROM tblUsers WHERE Adress Like '%" & sAddress & "%'"

Put the % sign on the front and at the end, in order to search the entire
field

Check out this 2 Part Tutorial on Parameterized Queries:
http://aspnet101.com/aspnet101/tutorials.aspx?id=1

LIKE is covered in Part 2

David Wier
http://aspnet101.com
http://aspexpress.com
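
On the difference asked about above, an added example (not code from any poster in this thread): a bound parameter is sent as data and never parsed as SQL, while a concatenated value becomes part of the statement text. It goes slightly beyond the thread by escaping LIKE wildcards and by checking the user-selected table and field against an allowlist, since identifiers cannot be bound as parameters. Python's sqlite3 with an in-memory table stands in for the thread's OleDb database; the rows, the `SEARCHABLE` allowlist and the function names are constructed for illustration.

```python
import sqlite3

# Constructed allowlist: the only tables/columns a user may pick to search.
SEARCHABLE = {"tblUsers": {"Name", "Address"}}

def make_db():
    """In-memory stand-in for the thread's database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (Name TEXT, Address TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?)", [
        ("Ann", "12 Main Street"),
        ("Bob", "100% Pure Lane"),
        ("Cy", "7 O'Hara Road"),
    ])
    return conn

def escape_like(term):
    """Make %, _ and the escape character itself match literally in LIKE."""
    return term.replace("!", "!!").replace("%", "!%").replace("_", "!_")

def search(conn, table, column, term):
    # Identifiers cannot be bound as parameters, so check them against the allowlist.
    if column not in SEARCHABLE.get(table, set()):
        raise ValueError("not a searchable table/column")
    sql = f"SELECT Name, Address FROM {table} WHERE {column} LIKE ? ESCAPE '!'"
    # The search term travels as data; it is never parsed as SQL.
    return conn.execute(sql, ("%" + escape_like(term) + "%",)).fetchall()

def search_concatenated(conn, term):
    # String-built query as in the VB snippet above: the term becomes SQL text.
    sql = "SELECT Name, Address FROM tblUsers WHERE Address LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def concatenated_breaks(conn, term):
    """True when the term altered the statement and the parser rejected it."""
    try:
        search_concatenated(conn, term)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    quoted = "%' GO DELETE tblUsers --"  # the input quoted in the thread
    print(search(db, "tblUsers", "Address", "O'Hara"))
    print(search(db, "tblUsers", "Address", quoted))
    print(concatenated_breaks(db, "O'Hara"))
```

Even an ordinary address containing an apostrophe breaks the concatenated query, which is the same mechanism the quoted input relies on.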

